What is Ransomware and Where did it Come From?
The first known incident of what we would now call Ransomware was in 1989, when computers became infected with what came to be known as “PC Cyborg”. This changed the attributes of user files to make them hidden and then encrypted their filenames. Users were then encouraged to pay $189 to the “PC Cyborg Corporation” to obtain a “repair tool”.
Fundamentally, this is Ransomware: malicious software that denies access to your files unless you pay money to the agent that created and deployed it.
Ransomware came to prominence as an IT security issue in late 2013 when the infamous Cryptolocker first appeared. Cryptolocker was propagated as a seemingly innocent attachment to an email. Users would open the attachment, which in reality was an executable file that would then start to modify the user's files without their knowledge. This would spread to both their local files and files on network drives that they had permission to edit. At some point the malicious software would inform the user that their files had been encrypted and give instructions on paying a sum in Bitcoin (or a similarly anonymous currency service) in order to receive the decryption key and retrieve the files.
Cryptolocker's threat was effectively ended in 2014 when a joint law enforcement operation took down the botnet that had been a key point of distribution, but the name has stuck as a verb, i.e. “You've been cryptolockered”.
One of the more famous Ransomware incidents in the UK was in May 2017, when “WannaCry” spread quickly throughout NHS networks using an exploit for which Microsoft had previously released patches. These patches had either not been applied, or it had spread through legacy equipment that was past its end of life (EOL) and for which patches had not been written. The NHS was probably the most prominent victim of this attack, but victims also included Nissan, FedEx, Telefonica and others. In the days after the initial outbreak, it was discovered that 327 payments totalling around $130,000 had been transferred from a wide cross-section of businesses and individuals.
There are various lines of defence against Ransomware.
More often than not, a user opening a seemingly innocent attachment or clicking on an innocuous-looking link is the initial cause of a ransomware incident. Sometimes they help propagate the attack by forwarding the email or link to others, unaware of the danger this causes.
Keeping your anti-virus updated is a key component of any defence strategy. It may also be worth exploring a third-party service to scan your email before it reaches its final destination, whether this is an on-premise or cloud solution.
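Cryptolocker arrived as an executable posing as an innocent attachment, and a scan of mail before delivery is one place to catch that. As an added example (not from this post or any particular product), the Python below screens a constructed sample message for attachments whose name or content marks them as Windows executables; the extension lists are illustrative assumptions rather than a complete gateway policy.

```python
# Added example (not from the original post): a minimal attachment screen of the
# kind a mail gateway applies before delivery. It flags attachments that are really
# executables by checking the first bytes and catching disguised double extensions.
# The sample message is constructed; the extension lists are illustrative only.
import email
from email import policy

# Extensions that run code on a Windows host when opened.
EXECUTABLE_EXTENSIONS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
# Extensions used as the harmless-looking first half of a double extension.
DECOY_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt", "zip"}

def screen_attachment(filename, payload):
    """Return the reasons to block this attachment (an empty list means allow)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    # "Invoice.pdf.exe" relies on Windows hiding the last extension by default.
    if len(parts) > 2 and parts[-2] in DECOY_EXTENSIONS:
        reasons.append(f"double extension .{parts[-2]}.{ext}")
    # A Windows PE file starts with the 'MZ' DOS header whatever it is named.
    if payload[:2] == b"MZ":
        reasons.append("content is a Windows executable (MZ header)")
    return reasons

def screen_message(raw):
    """Screen every attachment of a raw RFC 822 message; return {filename: reasons}."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        findings[name] = screen_attachment(name, part.get_payload(decode=True) or b"")
    return findings

# Constructed sample: one benign text file and one executable posing as a PDF.
SAMPLE_MESSAGE = b"""Content-Type: multipart/mixed; boundary="XX"

--XX
Content-Disposition: attachment; filename="notes.txt"

hello
--XX
Content-Disposition: attachment; filename="Invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQA==
--XX--
"""
```

Calling `screen_message(SAMPLE_MESSAGE)` allows notes.txt and reports three reasons to block Invoice.pdf.exe; a real gateway would also inspect archives, since the executable is often wrapped in a zip.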
Microsoft releases patches for all of its major software on the second Tuesday of the month (often referred to as “Patch Tuesday”), and an effective patch strategy should be one of the cornerstones of your management policy. Sometimes these patches introduce unwanted side effects, so applying them to a ‘lab’ or ‘sandbox’ environment before wide-scale deployment is something to consider.
If you are affected by Ransomware we DO NOT advise paying to retrieve data. It is common for victims to make an anonymous and irretrievable payment, only never to hear from the perpetrator again. An effective backup strategy that backs up files at various points during the day is a strong solution. Losing a few hours' work will always be preferable to losing everything. We would also recommend a third-party backup solution, as some Ransomware has been known to delete Volume Shadow Copy (VSS) files as part of the attack.
If you want to protect your business against malicious attacks or have a problem with a Ransomware attack, give us a call. As security and IT support specialists we’re here to help and happy to offer any advice we can.